Messages - NoncarbonatedClack

#1
General Discussion / PAT rule not working
May 25, 2025, 05:35:46 AM
I've got a PAT rule that I can't seem to get working, verified via pcaps.

I've got a VM running rootless podman in a separate VLAN. OPNsense is routing between VLANs for me.
I don't want to give my reverse proxy container privileges to bind on ports 80 and 443, so I'd like to use OPNsense to redirect traffic destined for 80 and 443 to ports 8084 and 8443 respectively, however the PAT rule I've created is not working.

Attached are screenshots of the rules.

Does anyone see anything immediately incorrect?
#2
Hi Franco,

Thank you for clearing that up! I appreciate it.
OPNsense is in prod on my home network now again.
#3
I'm coming back to OPNsense after not being able to run it for a while, and I noticed this entry during boot that I hadn't seen before:

Configuring firewall.... pflog0: permanently promiscuous mode enabled
done.

Checking via the CLI, and knowing that my WAN interface is vmx0, if I run configctl interface show bpf, I see:
"interface-name":"pflog0","promiscuous":true

I could see promiscuous mode being a requirement on the inside interface, for VLANs/IDS/IPS or something, but it appears to be on the outside interface only.

I'm just wondering if that's normal. Is promiscuous mode a requirement of pf? I want to make sure before I put this in prod.

Running OPNsense 23.1.11-amd64 in a VM.

Thanks!
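The question above is answerable by looking at which bpf listeners are promiscuous and whether any of them is a physical NIC. pflog0 is pf's logging pseudo-interface: the log reader opens it via bpf, so it reporting promiscuous is expected, and it is a different interface from the WAN NIC (vmx0 in the post). The following is an added example, not code from the forum thread or from OPNsense, that parses that output and flags only the interfaces that should not be promiscuous; the JSON layout (a list of objects with the two keys quoted in the post) and the sample data are constructed assumptions.

```python
import json
import subprocess

# Constructed sample, modelled on the single line quoted in the post
# ("interface-name":"pflog0","promiscuous":true). The real command's full
# JSON layout (a list of per-interface objects) is an assumption.
SAMPLE_BPF_OUTPUT = json.dumps([
    {"interface-name": "pflog0", "promiscuous": True},   # pf log pseudo-interface
    {"interface-name": "vmx0", "promiscuous": False},    # WAN NIC
    {"interface-name": "vmx1", "promiscuous": False},    # LAN/VLAN trunk NIC
])

# Second constructed sample: the WAN NIC has gone promiscuous, which is the
# case a defender actually wants to notice (a sniffer or IDS attached to it).
SAMPLE_WAN_PROMISC = json.dumps([
    {"interface-name": "pflog0", "promiscuous": True},
    {"interface-name": "vmx0", "promiscuous": True},
    {"interface-name": "vmx1", "promiscuous": False},
])

# Interfaces that are promiscuous by design on an OPNsense box.
EXPECTED_PROMISC = frozenset({"pflog0"})


def parse_bpf_listeners(text):
    """Return a list of (interface-name, promiscuous) tuples from JSON text.

    Accepts either a bare list of objects or an object that wraps the list
    under some key (the wrapper key name, if any, is an assumption).
    """
    data = json.loads(text)
    if isinstance(data, dict):
        wrapped = [v for v in data.values() if isinstance(v, list)]
        data = wrapped[0] if wrapped else [data]
    listeners = []
    for entry in data:
        name = entry.get("interface-name")
        if name is None:
            continue
        listeners.append((name, bool(entry.get("promiscuous", False))))
    return listeners


def promiscuous_interfaces(text):
    """Sorted names of every interface reported as promiscuous."""
    return sorted(name for name, promisc in parse_bpf_listeners(text) if promisc)


def unexpected_promiscuous(text, expected=EXPECTED_PROMISC):
    """Promiscuous interfaces that are not on the expected list, e.g. a physical NIC."""
    return [name for name in promiscuous_interfaces(text) if name not in expected]


if __name__ == "__main__":
    # On an OPNsense box, read the live output of the command quoted in the post;
    # anywhere else fall back to the constructed sample so the script still runs.
    try:
        text = subprocess.run(
            ["configctl", "interface", "show", "bpf"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_BPF_OUTPUT
    print("promiscuous:", promiscuous_interfaces(text))
    print("unexpected :", unexpected_promiscuous(text))
```

With the first sample the only promiscuous listener is pflog0 and nothing is flagged; with the second sample vmx0 is reported, which is the condition worth alerting on rather than the pflog0 entry itself.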
#4
Quote from: Vilhonator on June 10, 2022, 11:47:50 PM
Quote from: NoncarbonatedClack on June 10, 2022, 10:18:58 PM
Quote from: Vilhonator on June 10, 2022, 08:00:18 PM
Check the firewall rules of the interface whose network your Minecraft server belongs to.

By default incoming traffic from different networks is blocked.

but wouldn't ping count as traffic and thus be blocked..?

I'll make a rule and try it out though.

Not quite. Ping tells you if a route exists, and you can block pinging by blocking ICMP traffic (the firewall blocks TCP/UDP traffic by default; ping is neither of those).

Also, you will be able to ping pretty much any IP to which there's a route, if ICMP traffic isn't blocked. Again, ping only tells you if there's a working route to that address; traceroute would give you more detailed results on routes.

Interesting, thanks.

Firewall rule did it!
#5
Quote from: Vilhonator on June 10, 2022, 08:00:18 PM
Check the firewall rules of the interface whose network your Minecraft server belongs to.

By default incoming traffic from different networks is blocked.

but wouldn't ping count as traffic and thus be blocked..?

I'll make a rule and try it out though.
#6
Bump for visibility? Any suggestions?
#7
Attached rule details for the OpenVPN rule.

#8
I believe that should be the case, no? NAT isn't my strong suit so I could be mistaken, but I don't think so in this case.

You still have to go through the default gateway for the firewall to know where to route traffic, which should be before packets hit NAT.
Does the trace to 10.20.15.20 succeed?
#9
OpenVPN does allow you to create a client-server setup: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

There is also WireGuard, but I haven't managed to get that working correctly yet.
#10
So I set this up a few years ago (albeit on pfSense instead), but I made the switch to OPNsense earlier this year and couldn't be happier.

I'm rebuilding my server environment after not running it for a while, and now I'm getting my Minecraft server running on Docker again.

The trouble is that while I can get my friend connected to OpenVPN, and he can ping the server's IP, Minecraft fails to let him join (connection timeout error). I can join fine (the server is running on a different VLAN than my LAN).

General setup is:
OPNsense does layer 3; VLANs terminate here, OpenVPN terminates here
trunk port to a Cisco switch, and trunks for 2 ESXi hosts

I went through the OpenVPN wizard, so I have the default firewall rules in place. I'm not really sure where to look, as Docker (running on a slimmed-down Ubuntu VM) is accepting connections (works from my LAN; also verified the iptables rule on the Ubuntu guest).

Anyone have suggestions on where to look please?
#11
Quote
# File starts below this line, use Copy/Paste #####################
# Check for interface specific settings and add accordingly.
# These are tunables to improve network performance on Intel igb driver NICs

# Flow Control (FC) 0=Disabled 1=Rx Pause 2=Tx Pause 3=Full FC
# This tunable must be set according to your configuration. VERY IMPORTANT!
# Set FC to 0 (<x>) on all interfaces
hw.igb.<x>.fc=0 #Also put this in System Tunables hw.igb.<x>.fc: value=0

Just wanted to throw my .02 at this in case anyone else sees it... no matter what I did above, I could not get FC disabled. The solution was to add "dev.igb.0.fc" to tunables, with a value of 0. That resolved it for me.

I'm trying to verify now that "hw.igb.enable_aim=1" works, but I'm not really sure how.
I'm also wondering how to check/enable handling VLANs on the hardware level, not sure how to go about that.


This is on OPNsense 21.7.5-amd64, FreeBSD 12.1-RELEASE-p21-HBSD.

The system is an HP ProLiant ML310e Gen8
Intel Xeon E3-1220 V2 3.10 GHz 4c/4t
16 GB DDR3 ECC
120 GB SSD
Intel i350 T4 V1

Symmetrical 1Gbps internet connection.

I'm not running IDS/IPS yet but preparing to.